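# NixOS module for a single self-hosted server. It enables a firewall, ACME
# certificates, Docker, SSH, Jellyfin, fail2ban, Gitea with an Actions runner,
# Home Assistant, ntfy and searx, and publishes the web services through an
# nginx reverse proxy with one TLS virtual host per service.
#
# Everything written in this file is copied into the world-readable /nix/store,
# so credentials must be referenced by path and provisioned outside the store
# (root-only file, sops-nix, agenix, ...) rather than written inline.
{ pkgs, lib, ... }:
let
  # Virtual host that terminates TLS with an ACME certificate and forwards all
  # requests (including WebSocket upgrades) to a backend on the loopback interface.
  proxied = port: {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString port}";
      proxyWebsockets = true;
    };
  };
in
{
  # Only SSH and HTTP(S) are opened here; the application ports used below
  # (8001-8005, 8096) are not in this list and are reached through nginx.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 80 443 22 ];
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "markers711@gmail.com";
  };

  # Docker backs the container labels of the Actions runner below.
  virtualisation.docker.enable = true;

  services = {
    # sshd is reachable from the network (port 22 above) and no sshd options
    # are set in this file, so the module defaults apply.
    # NOTE(review): confirm password logins are disabled (key-only auth) in
    # whichever module configures sshd; fail2ban only slows guessing down.
    openssh.enable = true;

    jellyfin.enable = true;

    fail2ban.enable = true;

    gitea = {
      enable = true;
      settings = {
        service = {
          # Closed instance: no self-service sign-up.
          DISABLE_REGISTRATION = true;
          # NOTE(review): Gitea documents ENABLE_PUSH_CREATE_USER under
          # [repository]; set here (and under [server] below) it is likely
          # ignored. Confirm against the Gitea configuration reference.
          ENABLE_PUSH_CREATE_USER = true;
        };
        server = {
          HTTP_PORT = 8001;
          DOMAIN = "dhilton.xyz";
          ROOT_URL = "https://git.dhilton.xyz";
          ENABLE_PUSH_CREATE_USER = true;
        };
      };
    };

    gitea-actions-runner.instances.home = {
      enable = true;
      url = "https://git.dhilton.xyz";
      name = "nixsrv";
      # The registration token is read from an environment file containing a
      # line `TOKEN=<registration token>` instead of being written inline.
      # PLACEHOLDER path: point this at a root-only file that exists on the
      # host before deploying. The token that used to be written inline in this
      # file should be treated as disclosed and regenerated in Gitea.
      tokenFile = "/run/secrets/PLACEHOLDER-gitea-runner-token.env";
      labels = [
        # NOTE(review): these images are referenced by mutable tag; pinning
        # them by digest keeps CI from silently picking up a changed image.
        "ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
        "ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04"
        "ubuntu-20.04:docker://catthehacker/ubuntu:act-20.04"
        "ubuntu-18.04:docker://catthehacker/ubuntu:act-18.04"
        # Jobs selecting this label run directly on the host rather than in a
        # container, so workflow code gets the runner user's access to this
        # machine. Restrict its use to repositories whose workflows you trust.
        "native:host"
      ];
    };

    home-assistant = {
      enable = true;
      extraComponents = [ "wiz" "fail2ban" ];
      config = {
        default_config = { };
        "automation ui" = "!include automations.yaml";
        http = {
          # Honour X-Forwarded-For, but only from the local nginx proxy, so a
          # remote client cannot spoof its source address.
          use_x_forwarded_for = true;
          trusted_proxies = [ "127.0.0.1" ];
          server_port = 8003;
        };
      };
    };

    ntfy-sh = {
      enable = true;
      settings = {
        # No host part, so ntfy listens on every interface; only the firewall
        # keeps port 8004 off the network. "127.0.0.1:8004" would be enough for
        # the nginx proxy and adds defence in depth.
        listen-http = ":8004";
        # NOTE(review): confirm the service user can create and write this
        # file; it sits directly in /var/lib rather than in a per-service
        # state directory.
        auth-file = "/var/lib/ntfy.db";
        # Unauthenticated clients may subscribe to any topic they can name.
        # Use "deny-all" if notifications carry sensitive content.
        auth-default-access = "read-only";
        base-url = "https://ntfy.dhilton.xyz";
      };
    };

    searx = {
      enable = true;
      settings = {
        server.port = 8005;
        # NOTE(review): weak, guessable secret that is also stored in the
        # world-readable /nix/store. Replace it with a long random value loaded
        # through services.searx.environmentFile; check the module
        # documentation of your nixpkgs release for the substitution syntax.
        server.secret_key = "secretlol";
      };
    };

    nginx = {
      enable = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      virtualHosts = {
        # Static site served from disk.
        "dhilton.xyz" = {
          enableACME = true;
          forceSSL = true;
          root = "/var/www/dhilton";
        };
        "git.dhilton.xyz" = proxied 8001; # gitea
        "ntfy.dhilton.xyz" = proxied 8004; # ntfy-sh
        "jel.dhilton.xyz" = proxied 8096; # presumably jellyfin's default port; confirm
        # NOTE(review): nothing in this file listens on 8002; presumably a
        # container or a service defined elsewhere. Confirm it binds to
        # loopback only.
        "puf.dhilton.xyz" = proxied 8002;
        "srx.dhilton.xyz" = proxied 8005; # searx
        "hom.dhilton.xyz" = proxied 8003; # home-assistant
      };
    };
  };
}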